Using Trust Center extensions¶

Step 1: Create an extension manifest file¶

Create a manifest file that contains information and metadata about the various scanner packages and scanners:

1. Create a manifest file.

   The manifest file has the following requirements:

   • The name of the manifest file must be tc_extension_manifest.yml.

   • The tc_extension_manifest.yml file must exist at the root of the directory structure on the named stage where the Native App manifest.yml file resides.

   The manifest file lists the scanner package properties and all of the scanners that are included in the scanner package.

   Use the following definition for the manifest file:

   manifest_version: '2.0'
   scanner_packages:
   - id: ''
     name: ''
     short_description: ''
     description: ''
     scanners:
       - id: ''
         name: ''
         short_description: ''
         description: ''
         type: 'VULNERABILITY'
         callback:
           schema: ''
           name: ''
           version: ''
   

   Copy

   The manifest file has the following properties:

   Property	Description	Maximum number of characters
   manifest_version	Currently, only 2.0 is valid.	Not applicable
   scanner_packages.id	A unique identifier for the scanner package, which the provider must maintain for the scanner package’s lifetime. Only ASCII alphanumeric and underscore characters are supported. All of the configurations that the customer applies to a scanner package are persisted in Trust Center using this ID.	25
   scanner_packages.name	The name of the scanner package.	30
   scanner_packages.short_description	The short description of the scanner package.	150
   scanner_packages.description	The description of the scanner package.	700
   scanner_packages.scanners.id	A unique identifier for the scanner, which the provider must maintain for the scanner’s lifetime. Only ASCII alphanumeric and underscore characters are supported. All of the configurations that customers apply to a scanner are persisted in Trust Center using this ID.	25
   scanner_packages.scanners.name	The name of the scanner.	30
   scanner_packages.scanners.short_description	The short description of the scanner.	150
   scanner_packages.scanners.description	The long description of the scanner.	1,500
   scanner_packages.scanners.type	The type of the scanner. Currently, only VULNERABILITY is supported.	—
   scanner_packages.scanners.callback	The callback section for the scanner. Every scanner must have a callback section that specifies its schema, name, and version.	Not applicable
   scanner_packages.scanners.callback.schema	The schema for the stored procedure. The schema must exist in the setup_script.sql file. For more information about this file, see Step 3: Create an extension.	Not applicable
   scanner_packages.scanners.callback.name	The name of the stored procedure. The following requirements apply to the stored procedure: Currently, it must be named scan. The stored procedure name that is defined here must exist in the setup_script.sql file under the schema that is specified in callback.schema.	Not applicable
   scanner_packages.scanners.callback.version	The version of the stored procedure. Currently, only 1.0 is supported.	Not applicable

The following example shows the contents of a manifest file:

manifest_version: '2.0'
scanner_packages:
  - id: 'se_extension'
    name: 'Security Extension'
    short_description: 'Enhances security features and capabilities.'
    description: 'This extension provides additional security features and capabilities to the platform.'
    scanners:
      - id: 'es_check'
        name: 'NA event sharing check'
        short_description: 'Checks for NA event sharing configurations.'
        description: 'This scanner checks for event sharing configurations in the North America region.'
        type: 'VULNERABILITY'
        callback:
          schema: 'security_essentials_na_consumer_es_check'
          name: 'scan'
          version: '1.0'
      - id: 'se_mfa'
        name: 'MFA Required for Users'
        short_description: 'Ensures that MFA is required for all users.'
        description: 'This scanner checks that Multi-Factor Authentication (MFA) is enforced for all users in the system.'
        type: 'VULNERABILITY'
        callback:
          schema: 'security_essentials_mfa_required_for_users_check'
          name: 'scan'
          version: '1.0'
      - id: 'se_client'
        name: 'Client Security'
        short_description: 'Ensures that client security best practices are followed.'
        description: 'This scanner checks that client security best practices are enforced for all clients in the system.'
        type: 'VULNERABILITY'
        callback:
          schema: 'security_essentials_client_security'
          name: 'scan'
          version: '1.0'
      - id: 'cis_1_4'
        name: 'Extension CIS 1_4'
        short_description: 'Checks for compliance with CIS Benchmark 1.4.'
        description: 'This scanner checks for compliance with the CIS Benchmark 1.4, ensuring that security best practices are followed.'
        type: 'VULNERABILITY'
        callback:
          schema: 'security_essentials_cis1_4'
          name: 'scan'
          version: '1.0'
      - id: 'cis_3_1'
        name: 'Extension CIS 3_1'
        short_description: 'Checks for compliance with CIS Benchmark 3.1.'
        description: 'This scanner checks for compliance with the CIS Benchmark 3.1, ensuring that security best practices are followed.'
        type: 'VULNERABILITY'
        callback:
          schema: 'security_essentials_cis3_1'
          name: 'scan'
          version: '1.0'

Step 2: Create scanners¶

Create a versioned schema and a stored procedure that implements the scanner logic.

If the scanner package contains multiple scanners, then complete these steps for each scanner, using a different versioned schema for each scanner:

1. Create a versioned schema to host the scanner logic.

   The name of the schema must be the same as the schema specified for the scanner in the extension manifest file.

   For example, the following SQL statement creates a versioned schema that is named security_essentials_mfa_required_for_users:

   CREATE OR ALTER VERSIONED SCHEMA security_essentials_mfa_required_for_users;
   

   Copy

2. Create a stored procedure that implements the scanner logic.

   The following example creates a stored procedure named scan in the security_essentials_mfa_required_for_users schema:

   CREATE OR REPLACE PROCEDURE security_essentials_mfa_required_for_users.scan(
       run_id VARCHAR)
     RETURNS TABLE(
       risk_id VARCHAR,
       risk_name VARCHAR,
       total_at_risk_count NUMBER,
       scanner_type VARCHAR,
       risk_description VARCHAR,
       suggested_action VARCHAR,
       impact VARCHAR,
       severity VARCHAR,
       at_risk_entities ARRAY
     )
     LANGUAGE SQL
     AS
     $$
       -- Scanning logic --
     $$;
   

   Copy

   Verify that the stored procedure returns exactly one row for each severity and risk ID combination.

   The returned table must have following columns:

   Column	Type	Description
   risk_id	VARCHAR	The identifier for the risk.
   risk_name	VARCHAR	The name of the risk.
   total_at_risk_count	NUMBER	Total number of entities at risk for a scanner. For scenarios where the scanner doesn’t detect any violations, the value is 0. The maximum number of at risk entities is 1,000, and the maximum combined size of all values in an array is 128 MB.
   scanner_type	VARCHAR	Currently, only the VULNERABILITY scanner type is supported.
   risk_description	VARCHAR	The description of the risk.
   suggested_action	VARCHAR	Suggested action for remediation.
   impact	VARCHAR	Possible consequences of not addressing the risk.
   severity	VARCHAR	The severity level of the risk. The possible values are LOW, MEDIUM, HIGH, and CRITICAL.
   at_risk_entities	ARRAY of OBJECT values	The OBJECT values in the array have the following structure: [ { "entity_id": <id>, "entity_name": "<name>", "entity_object_type": "<type>", "entity_detail": { ..., -- custom data } }, ... ] The OBJECT values contain the following key-value pairs: entity_id - An optional field that corresponds to the ID of the entity at risk. entity_name - A required field that corresponds to the name of the entity at risk. entity_object_type - A required field that corresponds to the type of the entity at risk. For example: APPLICATION, TASK, NETWORK_POLICY, SECURITY_INTEGRATION, ROLE, PROCEDURE, QUERY, DRIVER, PARAMETER, TABLE, STAGE, DATA_MASKING_POLICY, or ROW_ACCESS_POLICY. entity_detail - Custom data that describes the entity. The maximum size of an array is 128 MB. For scenarios where the scanner doesn’t detect any violations, the value is an empty list.

Step 3: Create an extension¶

An extension bundles scanner packages in a Native App, makes them accessible to the Trust Center, and configures the privileges to allow the Trust Center to invoke the required stored procedures.

To create an extension, complete the following steps:

1. Create a setup_script.sql file for the extension by following the instructions in Create a setup script.

   In the setup_script.sql file, create an application role named trust_center_integration_role.

   Then, grant the required privileges on the versioned schema and stored procedure to that application role.

   The following example shows how to create the application role trust_center_integration_role, and then grant the required privileges:

   CREATE APPLICATION ROLE IF NOT EXISTS trust_center_integration_role;
   
   GRANT USAGE ON SCHEMA security_essentials_mfa_required_for_users
     TO APPLICATION ROLE trust_center_integration_role;
   
   GRANT USAGE ON PROCEDURE security_essentials_mfa_required_for_users.scan(VARCHAR)
     TO APPLICATION ROLE trust_center_integration_role;
   

   Copy

   The privileges are required for every scanner in the package.

2. Create a manifest.yml file for the extension by following the instructions in Create the manifest file for an app.

   The following example shows the contents of a manifest.yml file for a Trust Center extension:

   manifest_version: 1
   artifacts:
     setup_script: setup_script.sql
     readme: README.md
   privileges:
     - IMPORTED PRIVILEGES ON SNOWFLAKE DB:
       description: "Required access to SNOWFLAKE.ACCOUNT_USAGE views to scan for vulnerabilities"
   

   Copy

3. Create an application package for the extension by following the instructions in Create an application package.

4. Register a version of the application package by following the instructions in Register a version.

   To confirm that the application package has registered versions, you can run the SHOW VERSIONS IN APPLICATION PACKAGE.

5. Create an application that is based on a registered version by following the instructions in Create an app from a version or patch.

   To confirm that the application object was created, you can run the SHOW APPLICATIONS.

Step 4: Grant privileges¶

After you install the extension, grant the required privileges by completing the following steps:

1. Grant the privileges requested by the extension by following the instructions in Manage access requests using Snowsight.

2. To grant the trust_center_integration_role application role in the namespace of the extension to the SNOWFLAKE application, run the GRANT APPLICATION ROLE command:

   GRANT APPLICATION ROLE <extension_name>.trust_center_integration_role
     TO APPLICATION snowflake;
   

   Copy

   For example, to grant the tc_extension.trust_center_integration_role application role to the SNOWFLAKE application, run the following command:

   GRANT APPLICATION ROLE tc_extension.trust_center_integration_role
     TO APPLICATION snowflake;
   

   Copy

Step 5: Register the extension¶

You can register or deregister an extension by calling the following stored procedures:

• SNOWFLAKE.TRUST_CENTER.REGISTER_EXTENSION

• SNOWFLAKE.TRUST_CENTER.DEREGISTER_EXTENSION

To register an extension with the Trust Center, complete the following steps:

1. Switch to a role with the SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it.

2. Call the SNOWFLAKE.TRUST_CENTER.REGISTER_EXTENSION stored procedure.

   To view details about the extension, you can run the SHOW APPLICATIONS command. The application package or listing identifier is in the source column.

   For example, to register an extension named tc_extension that was installed from the application package named my_tc_package, call the stored procedure:

   CALL SNOWFLAKE.TRUST_CENTER.REGISTER_EXTENSION(
     'APPLICATION PACKAGE',
     'my_tc_package',
     'tc_extension');
   

   Copy

   You can display information about your registered extensions by querying the EXTENSIONS view.

   Note

   To deregister an extension, call the SNOWFLAKE.TRUST_CENTER.DEREGISTER_EXTENSION stored procedure.

3. Confirm that the scanner package provided by the extension is now in the list of Trust Center scanner packages by following the instructions in see View available scanner packages.

Step 6: Test the extension¶

After granting the privileges and enabling the scanner package, test the extension and examine the results generated by the scanner by querying the SNOWFLAKE.TRUST_CENTER.FINDINGS view. If a scanner run has failed, you can check the ERROR_CODE and ERROR_MESSAGE to debug the scanner failure.

You can also monitor telemetry data for Trust Center extensions by using the views in the DATA_SHARING_USAGE schema. For example, you can find the number of installed instances of the extension by querying the APPLICATION_STATE view, and you can monitor consumer usage of an extension by querying the LISTING_ACCESS_HISTORY view.

Step 1: Discover and install extensions¶

You can discover and install a Trust Center extension that was published to the Snowflake Marketplace or shared by using private listings. Trust Center extensions can contain one or more scanner packages.

To discover and install an extension, follow these steps:

1. Sign in to Snowsight.

2. Switch to a role that has been granted the SNOWFLAKE.TRUST_CENTER_ADMIN application role.

   For more information about granting this role, see Required privileges.

3. In the navigation menu, select Governance & security » Trust Center.

4. Select the Manage scanners tab.

5. To view a list of extensions that are available to your account, select Extensions.

6. Select the extension that you want to install.

   The Snowflake Marketplace page for the extension opens.

7. To access the listing, select Get.

8. Optional: For Application name, enter a name.

9. To install the extension, select Get.

When the installation is complete, a Snowsight notification appears, and an email is sent to the email address associated with your account.

For more information about installing Native Apps, see Use and manage Snowflake Native Apps as a consumer.

Step 2: Manage the new scanner packages¶

When you install an extension, you can then install one or more scanner packages. To view the newly installed scanner packages, complete the following steps:

1. Sign in to Snowsight.

2. Switch to a role that has been granted the SNOWFLAKE.TRUST_CENTER_ADMIN application role.

   For more information about granting this role, see Required privileges.

3. In the navigation menu, select Governance & security » Trust Center.

4. Select the Manage scanners tab.

   In the list of scanner packages, the following information is displayed for each new scanner package:

   • NAME - The name of the new scanner package.

   • SOURCE - The name of the extension that you installed.

   • SCANNERS - The number of enabled and disabled scanners in the scanner package.

   • STATUS - The status of the scanner package. By default, new installed scanner packages are disabled.

5. To enable a new scanner package, complete the following steps:

   1. In the list of scanner packages, select the scanner package.

   2. On the scanner package page, select Enable package.

   3. To grant the privileges required by the new scanner package, select Grant.

   4. Select Enable.

   Repeat these steps for each new scanner package that you want to enable.

You can manage the new scanner package in the same way that you manage other scanner packages in the Trust Center. For example, you can schedule or disable the new scanner package. For more information, see Managing scanner packages.

You can manage the scanners in the new scanner package in the same way that you manage other scanners. For example, you can enable, disable, or schedule a scanner. For more information, see Managing scanners.

You can also monitor and manage the Native App associated with the extension directly. For more information, see Manage apps.

You can view the findings generated by the scanner packages that are installed with the extension by querying the SNOWFLAKE.TRUST_CENTER.FINDINGS view. For example, the following query returns the findings for the scanner packages that are installed with an extension that has a extension_id of 4486988721:

SELECT * FROM snowflake.trust_center.findings WHERE extension_id = 4486988721;

To find the identifiers for registered extensions, query the EXTENSIONS view.

For more information about Trust Center findings, see Findings and View security risks.